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Abstract 



' We review the quantum version of a well known problem of cryp- 

QO , tography called coin tossing ("flipping a coin via telephone"). It can be 

QO ■ regarded as a game where two remote players (who distrust each other) 

' tries to generate a uniformly distributed random bit which is common to 

both parties. The only resource they can use to perform this task is a 
classical or quantum communication channel. In this paper we provide a 
general overview over such coin tossing protocols, concerning in particular 
their security. 



1 Introduction 

C . 

Coin flipping was introduced in 1981 by Blum § as a solution to the following 
cryptograhic problem (cited from Q]): "Alice and Bob want to flip a coin by 
telephone. (They have just divorced, live in different cities, want to decide who 
gets the car.) Bob would not like to tell Alice heads and hear Alice (at the other 
k> \ end of the line) say: Here it goes... I'm flipping the coin... You lost!". Hence 

5_i ■ the basic difficulties are: both players (Alice and Bob) distrust each other, there 

is no trustworthy third person available and the only resource they can use is 
the communication channel. Although this problem sounds somewhat artificial, 
coin tossing is a relevant building block which appears in many cryptograhic 
protocols. 

Within classical cryptography coin tossing protocols are in general based on 
assumptions about the complexity of certain computational tasks like factoring 
of large integers, which are unproven and, even worse, break down if quantum 
computers become available. A subset of classical cryptography which suffer 
from similar problems are public key cryptosystems. In this case however a 
solution is available in form of quantum key distribution (cf. Q for a review) 
whose security is based only on the laws of quantum mechanics and no other 
assumptions. Hence the natural question is: Does quantum mechanics provide 
the same service for coin-tossing, i.e. is there a perfectly secure quantum coin- 
tossing protocol? Although the answer is, as we will see, "no" [||, |hJ, quantum 
coin-tossing provides a reasonable security improvement over classical schemes. 

*e-mail: claus . doescherOt-online.de 
t e-mail: rn.keylOtu-bs.de 
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The purpose of this paper is to give an overview over this field, emphasizing 
in particular the game theoretic aspects, and to review some recent results. 
Therefore its outline is as follows: In Section ^ we give a short survey on classical 
and quantum systems and operations on them. This enables us in Section || 
to develop a general scheme which allows the description (and comparison) of 
quantum as well as classical coin tossing protocols (which are considered in 
Section §), and which points out the game theoretic aspects of the subject. 
In Section |^ we show how many questions, in particular optimality, can be 
reduced to a simplified scheme where only unitary operators and von Neumann 
measurements are involved. A recent example is given in Section [| and some 
conclusions are drawn in Section M. 



2 Systems, states and operations 

In general a quantum protocol requires manipulation and exchange of quantum 
as well as classical data. It is therefore useful, to have a unified description for 
all possible types of systems and operations which we will encounter (this is 
only a brief survey; for a more detailed and complete presentation see 0, Ch. 
2 and 3.). 

• Quantum Systems: According to the rules of quantum mechanics, every 
kind of quantum systems is associated with a Hilbert space Tt, which for 
the purpose of this article we can take as finite dimensional. The simplest 
quantum system has a two dimensional Hilbert space H = C 2 , and is 
called a qubit, for 'quantum bit'. The observables of the system are given 
by (bounded) operators. This space will be denoted by B(H). The prepa- 
rations (states) are given by density operators, i.e. positive (trace-class) 
operators p G B(H) with trace one. 

• Classical probability: The classical analog of a state of a (finite dimen- 
sional) quantum system is a probability distribution p x , x £ X on & finite 
set X of "elementary events" , i.e. X describes the possible outcomes of a 
(classical) statistical experiment, like tossing a coin (X = {head, number} 
or throwing a dice (X = {1, . . . , 6}), and p x is the probability that the 
outcome x occurs. Without loss of generality we will assume in the follow- 
ing that X = {1, . . . , n}, n G N holds. The classical information contained 
in p can be transformed easily into quantum information: We just have to 
prepare for each elementary event i£lan ?i-level quantum system (de- 
scribed by a Hilbert space /C) in a pure state \x)(x\ G B{K), where \x) G K,, 
x G X denotes a distinguished orthonormal basis and \x)(x\ is the projec- 
tor onto |x). If the event x G X occurs with probability p x , we get in this 
way quantum systems in the (mixed) state p p = ^ x Px\x){x\. Each state 
p which is diagonal in the basis \x), i.e. p = J2 X Px\x){x\, can be realized 
in this way, provided the initial probability distribution is p x , x G X . Now 
we introduce the space C(X) c B(JC) of diagoal (with respect to the basis 
\x)) operators on /C. According to our previous discussion we can identify 
the classical state space with the set of density operators in C(X). 

• Hybrid systems: This point of view is very handy, if we want to describe 
a "hybrid system" which contains a classical part, described by the set 
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X and a quantum part, described by the Hilbert space H: A state of 
a composite quantum system, consisting of two subsystems with Hilbert 
spaces Ti. and /C, is given by a density operator p on the tensor product 
H ® K., i.e. p G B{TL) ® B(1C). If one of the subsystem is classical, we only 
have to replace B(K-) by C(X). Hence: states of a hybrid system can be 
described by density operators p £ B(H) <g> C(X). It is easy to see that the 
elements of B(7i) <8> C(X) are operators which are block-diagonal of the 
form p = diag(pi, ... , p n ) with p x 6 B(TL). 

Summarizing our discussion up to now we can say that all three kinds of 
systems can be described in terms of a Hilbert space TC and a linear subspace 
A C B(7i') which we will call in the following the observable algebra^ of the 
system. The simple rule we have to follow is: states are described by density 
operators in A. 

This point of view is very useful if we consider channels which transform 
one kind of information into another, e.g. quantum to classical or hybrid. They 
are most naturally described in terms of completely positive, trace preserving 
maps T : A — > B, where A and B denote the observable algebras of the input 
respectively output systems, and T(p) is the state at the output side of the 
channel if the input system was in the state p. Alternatively we can consider 
the dual T* : B — > „4 of T, which is characterized by the condition tr(T* (A)p) = 
tr(AT{p)). It describes the operation in the Heisenberg picture, while T is the 
Schrodinger picture representation. The following list summarizes some special 
cases (arising from different choices for A and B) which will be relevant for the 
rest of the paper. 

• Quantum operations: If A = B = B(Tt) the map T describes a quan- 
tum operation. The most simple case is just unitary time-evolution, i.e. 
T(p) — U pU* with unitary operator U. In general however, we have to 
take interactions with additional, unobscrvablc degrees of freedom into 
account ("environment") and T becomes 



where /C and po denote Hilbert space and initial state of the environment 
(which can be chosen to be pure) and U describes now the common evolu- 
tion of both systems. It is a simple consequence of Stinespring's theorem 
that each quantum operation can be written this way. 

• Observables: If A is quantum (A = B(H)) and B is classical (B = C{X)) 
we can define T^ x ' = T*(|x)(a;|). It is easy to see that the family T^ x ' £ 
B(H), i 6 I of operators forms a POV measure, hence T describes a 
(generalized) observable and tr(pT^) is the probability to measure the 
value x on systems in the state p £ B(TL). We will identify in the following 
the observable T with the family and write: "let T = (T^, . . . , T<») 
be an observable". Note that this interpretation makes sense as well, if 
we insert for A a classical or hybrid algebra. Hence we can look at the 
corresponding observables as special cases of quantum observables. 

1 This name originates from the fact that 1. .A is in all three cases not only a linear space 
but a *-algebra (i.e., closed under multiplication and adjoints) and 2. that self-adjoint (i.e. 
"real valued") elements of A represent the (projection valued) observables of the system in 
question. 




(1) 
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• Instruments: If we are interested in the state of the quantum system after 
the measurement (in addition to the measuring result), we have to consider 
"Instruments" i.e. channels with quantum input (A = B(H)) and hybrid 
output (B = B(TC) ® C(X)). To each instrument T and each x £ X we can 
associate a (non trace preserving!) quantum operation T x : B(Tt) — ► B(TL) 
by T*(A) = T*(A ® |ar)(a;|). For each input state p the density operator 
tv(T x p)~ T(p) describes the state of the system after the measurement if 
the value x £ X was obtained, while the probability to measure x £ X is 
given by tv(T x p). Hence the observable (i.e. the POV measure) associated 
to T is = T*(J® |x)(a;|), x £ X. 

• Parameter dependent instruments: Finally, let us consider a channel with 
hybrid input and output, i.e. A = B = B(H) ® C(X). For each x £ X 
we get an instrument T x by T x (p) = T(p ® |x)(a:|). Hence T describes an 
instrument whose behavior depends on the additional classical input data 
x £ X. 

3 Coin tossing protocols 

Two players (as usual called Alice and Bob) are separated from each other and 
want to create a random bit, which can take both possible values with equal 
probability. However they do not trust each other and there is no trustworthy 
third person who can flip the coin for them. Hence they only can exchange data 
until they have agreed on a value or 1 or until one player is convinced that the 
other is cheating; in this case we will write for the corresponding outcome. 

To describe such a coin tossing protocol mathematically, we need three ob- 
servable algebras A, B and M, where A and B represent private information, 
which is only accessible by Alice and Bob respectively - Alice's and Bob's 
"notepad" - while M is a public area, which is used by both players to ex- 
change data. We will call it in the following the "mailbox" . Each of the three 
algebras A, B and M contain in general a classical and a quantum part, i.e. 
we have A = C(Xa) ® B(Ha) and similar for B and M. A typical choice is 
U A = U® n and X A = B m where H = C 2 and B denotes the field with two 
elements - in other words Alice's notepad consists in this case of n qubits and 
m classical bits. 

If Alice wants to send data (classical or quantum) to Bob, she has to store 
them in the mailbox system, where Bob can read them off in the next round. 
Hence each processing step of the protocol (except the first and the last one) 
can be described as follows: Alice (or Bob) uses her own private data and the 
information provided by Bob (via the mailbox) to perform some calculations. 
Afterwards she writes the results in part to her notepad and in part to the 
mailbox. An operation of this kind can be described by a completely positive 
map T A ■ A ® M — > A ® M, or (if executed by Bob) by Tb : M®B — > M®B. 

Based on these structures we can describe a coin tossing protocol as follows: 
At the beginning Alice and Bob prepare their private systems in some initial 
state. Alice uses in addition the mailbox system to share some information about 
her preparation with Bob, i.e. Alice prepares the system A ® M. in a (possibly 
entangled, or at least correlated) state p^ , while Bob prepares his notepad in 
the state p^ . Hence the state of the composite system becomes p^ = P^a ^P'b ■ 
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Figure 1: Schematic picture of a quantum coin-tossing protocol. The curly arrows 
stands for the flow of quantum or classical information or both. 



Now Alice and Bob start to operate alternately on the system, as described in 
the last paragraph, i.e. Alice in terms of operations T4 : A® M. — > A® A4 and 
Bob with T B : M ® B ^ M (& B. After A rounds^] the systems ends therefore 
in the state (cf. Figure |l|) 

P W = (Tf> g, Id B )(Id^ aT^) • • • (T< 2) ® Id s )(Id A (2) 

where Id^i, Ids are the identity maps on A and B. Note that we have assumed 
here without loss of generality that Alice performs the first (i.e. providing the 
initial preparation of the mailbox) and the last step (applying the operation Ta)- 
It is obvious how we have to change the following discussion if Bob starts the 
game or if N is odd. To determine the result Alice and Bob perform measure- 
ments on their notepads. The corresponding observables Ea = [E^ , E A ^ , E^ ) 
and Eb — [E B , E^ , E B ') can have the three possible outcomes X — {0, 1, 0}, 
which we have described already above. The tuples 

OA — [P A i 1 a > • • • > 1 A > Ea), cr B — {p B ,1 B , ■ ■ ■ , ± B , Eb) {A) 

consists of all parts of the protocol Alice respectively Bob can influence. Hence 
we will call a a Alice's and a B Bob's strategy. The sets of all strategies of Alice 
respectively Bob are denoted by T,a and Y, B - Note that Yja depends only on the 
algebras A and M while T, B depends on B and M. Occasionally it is useful to 
emphasize this dependency (the number of rounds is kept fixed in this paper). 
In this case we write Y*a[A,M) and T,b[B,M) instead of T,a and T, B . The 
probability that Alice gets the result a G X if she applies the strategy a a G ^a 
and Bob gets b <E X with strategy a B £ £_b is 

P((7a, *B] a, b) = tr[(4 Q) ® 1 ® 4 6) )P (JV) ] ■ (4) 

2 This means we are considering only turn based protocols. If special relativity, and therefore 
finite propagation speed for information, is taken into account it can be reasonable to consider 
simultaneous exchange of information; cf. e.g. Q| for details. 

3 Basically N is the maximal number of rounds: After K < N steps Alice (Bob) can apply 

( i) 

identity maps, i.e. T A ' = Id for j > K. 
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If both measurements in the last step yield the same result a = b = or 
1 the procedure is successful (and the outcome is a). If the results differ or 
if one player signals the protocol fails. As stated above we are interested in 
protocols which do not fail and which produce and 1 with equal probability. 
Another crucial requirement concerns security: Neither Alice nor Bob should 
be able to improve the probabilities of the outcomes or 1 by "cheating" , i.e. 
selecting strategies which deviate from the predefined protocol. At this point it 
is crucial to emphasize that we do not make any restricting assumptions about 
the resources Alice and Bob can use to cheat - they are potentially unlimited. 
This includes in particular the possibility of arbitrarily large notepads. In the 
next definition this is expressed by the (arbitrary) algebra 1Z. 

Definition 3.1 A pair of strategies (cr A ,a B ) £ ^a(*A., yVf) xSg(6, yV() is called 
a (strong) coin tossing protocol with bias e G [0, 1/2] if the following conditions 
holds for any (finite dimensional) observable algebra 1Z 

1. Correctness: P(a A , a B ; 0, 0) = P(a A , o- B ; 1, 1) = \, 

2. Security against Alice: Va' A G T, A (1Z, M) and Vx G {0, 1} we have 

P(a' A ,<j B ;x,x) <-+e (5) 

3. Security against Bob: Va' B € T, B (1Z, M) and Vx G {0, 1} we have 

F(a A ,a' B ;x,x)<^+e (6) 

The two security conditions in this definition imply that neither Alice nor 
Bob can increase the probability of the outcome or 1 beyond the bound 1/2+e. 
However it is more natural to think of coin tossing as a game with payoff defined 
according to the following table 





Alice 


Bob 


a=b=0 


1 





a=b=l 





1 


other 









(7) 



This implies that Alice tries to increase only the probability for the outcome 
and not for 1 while Bob tries to do the contrary, i.e. increase the probability for 
1. This motivates the following definition. 

Definition 3.2 A pair of strategies (a A} a B ) G T, A (A,M) xT, B (B,M) is called 
a weak coin tossing protocol, if item [] of Definition \3.j holds, and if items [J 
and are replaced by 

^' Weak security against Alice: Vc^ G T> A (7Z, M) we have 

P(<7^ )( 7 B ;0,0)<i + e, (8) 

U' Weak security against Bob: \/a' B G ^ B (TZ, M.) we have 

P(a A ,a' B ;l,l)< ^ + e. (9) 



G 



Here 1Z stands again for any finite dimensional (but arbitrarily large) observable 
algebra. 

Good coin tossing protocols are of course those with a small bias. Hence the 
central question is: What is the smallest bias which we have to take into account, 
and how do the corresponding optimal strategies look like? To get an answer, 
however, is quite difficult. Up to now there are only partial results available (cf. 
Section ^ for a summary) . 

Other but related questions arises if we exploit the game theoretic nature of 
the problem. In this context it is reasonable to look at a whole class of quantum 
games, which arises from the scheme developed up to now. We only have to fix 
the algebras^ A, B and M and to specify a payoff matrix as in Equation (fjj). 
The latter, however, has to be done carefully. If we consider instead of (Q) the 
payoff 





Alice 


Bob 


a=b=0 


1 


-1 


a=b=l 


-1 


1 


other 









(10) 



we get a zero sum game, which seems at a first look very reasonable. Unfor- 
tunately it admits a very simple (and boring) optimal strategy: Bob produces 
always the outcome 1 on his side while Alice claims always that she has measured 
0. Hence they never agree and nobody has to pay. The game from Equation (^) 
does not suffer from this problem, because a draw is for Alice as bad as the case 
a = b = 1 where Bob wins. 



4 Classical coin tossing 

Let us now add some short remarks on classical coin tossing, which is included 
in the general scheme just developed as a special case: We only have to choose 
classical algebras for A, B and M., i.e. A = C(Xa), B = C(X B ) and M = 
C{Xm)- The completely positive maps Ta and Tb describing the operations 
performed by Alice and Bob are in this case given by matrices of transition 
probabilities (see Sect. 3.2.3 of [[?} to see how to relate these matrices to the 
operations T). This implies in particular that the strategies in T,a, £b are in 
general mixed strategies. This is natural - there is of course no classical coin 
tossing protocol consisting of pure strategies, because it would lead always to 
the same result (either always or always 1). However, we can decompose 
each mixed strategy in a unique way into a convex linear combination of pure 
strategies, and this can be used to show that there is no classical coin tossing 



protocol, which admits the kind of security contained in Definition 3.1 and 3.2 



Proposition 4.1 There is no (weak) classical coin tossing protocol with bias 
z<\- 

4 In contrast to the security definitions given above this means that we assume limited 
recourses (notepads) of Alice and Bob. This simplifies the analysis of the problem and should 
not be a big restriction (from the practical point of view) if the notepads are fixed but very 
large. 
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Proof. Assume a classical coin tossing protocol (cr^os) is given. Since its 
outcome is by definition probabilistic, a a or o\b (or both) are mixed strategies 
which can be decomposed (in a unique way) into pure strategies. Let us denote 
the sets of pure strategies appearing in this decomposition by Y/ A , Y,' B . Since 
the protocol (<7a,o\b) is correct, each pair (sa,sb) £ H'a x H' B leads to a valid 
outcome, i.e. either or 1 on both sides. Hence there are two possibilities to 
construct a zero-sum game, either Alice wins if the outcome is and Bob if it 
is 1 or the other way round. In both cases we get a zero-sum two-person game 
with perfect information, no chance moves^] and only two outcomes. In those 
games one player has a winning strategy (cf. Sect. 15.6, 15.7 of i.e. if she 

(or he) follows that strategy she wins with certainty, no matter which strategy 
the opponent uses. This includes in particular the case where the other player 
is honest and follows the protocol. If we apply this arguments to both variants 
of the game, we see that either one player could force both possible outcomes or 
one bit could be forced by both players. Both cases only fit into the definition 
of (weak) coin tossing if the bias is 1/2. This proves the proposition. □ 

Note that the proof is not applicable in the quantum case (in fact there are 
coin tossing protocols with bias less than 1/2 as we will see in Section [|). One 
reason is that in the quantum case one does not have perfect information. E.g. 
if Alice sends a qubit to Bob, he does not know what qubit he got. He could 
perform a measurement, but if he measures in a wrong basis, he will inevitably 
change the qubit. 

Another way to circumvent the negative result of the previous proposition 
is to weaken the assumption that both players can perform any operation on 
their data. A possible practical restriction which come into mind immediately is 
limited computational power, i.e. we can assume that no player is able to solve 
intractable problems like factorization of large integers in an acceptable time. 
Within the definition given above this means that Alice and Bob do not have 
access to all strategies in Ha and but only to certain subsets. Of course, 
such additional restrictions can be imposed as well in the quantum case. To 



3.2 a 



distinguish the much stronger security requirements in Definition 3.1 and 
protocol is sometimes called unconditionally secure, if no additional assumptions 
about the accessible cheating strategies are necessary (loosely speaking: the 
"laws of quantum mechanics" are the only restriction). 



5 The unitary normal form 

A special class of quantum coin tossing arises if: 1. all algebras are quantum, i.e. 
A = B{H A ), B = B(H B ) and M = B{H M ) with Hilbert spaces H A , H B and 
Hm] 2. the initial preparation is pure: p a = a) (ip a\ and \i/>b)('4>b\ with ipA £ 
Ha®T~Lm and ipB £ Ti-B', 3. the operations T A J> , T B ' are unitarily implemented: 
Ta\p) = UjppUjf 1 * with a unitary operator U A on Ha ® Hm and something 
similar holds for Bob and 4. the observables Ea, Eb are projection valued. It is 
easy to see that the corresponding strategies (cta, fg) £ x do not admit 
a proper convex decomposition into other strategies. Hence we will call them 
in the following pure strategies. In contrast to the classical case it is possible 

5 That means there are no outside probability experiments like dice throws. 
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to construct correct coin tossing protocols with pure strategies. The following 
proposition was stated for the first time (in a less explicit way) in j^] and shows 
that we can replace a mixed strategy always by a pure one without loosing 
security. 

Proposition 5.1 For each strategy a a £ T,a{A, M) with A C B(Ha) there is a 
Hilbert space K,a and a unitary strategy a a £ ^a{A, M.) with A = B{TLa ® K-a) 
such that 

P(a A ,<JB;x,y) =F(a' A ,a B ;x,y) (11) 

holds for all ub £ ^b{B, Ai) (with arbitrary Bob algebra B) and all x,y G 
{0, 1, 0}. A similar statement holds for Bob's strategies. 

Proof. We will only give a sketch of the proof here; the details are given in 
||. Note first that all observable algebras A, B and M are linear subspaces 
of pure quantum algebras, i.e. A C B(Ha), B C B(Hb) and M C B(Hm)- In 
addition it can be shown that Alice's operations T A : A®M — > B{TL a )®B{FLm) 
can be extended to a channel T A ■ B(TLa) <8> B(Hm) —* B(TLa) <8> B(Hm), i-c. 
a quantum operation [jll|; something similar holds for Bob's operations. Hence 
we can restrict the proof to the case where all three observable algebras are 
quantum. Now the statement basically follows from the fact that we can find 
for each item in the sequence Ta = {pa',T a \ . . . ,T A N ';E A ) a "dilation". For 
the operations T A this is just the ancilla representation given in Equation ([!]) , 
i.e. 

T A J \p) = tr 2 (y«(p® |0«)(^)|)^>) (12) 
with a Hilbert space , a unitary VU) onH A ®£ U) and a pure state qP 

) G £ U) 

(and tr 2 denotes the partial trace over £W). Similarly, there is a Hilbert space 
£(°) and a pure state (o) eH A ® £ (0) such that 

^ = tr 2 (|^°))(^°)|) (13) 

holds (i.e. (j)^ is the purification of pa', cf. Sect. 2.2), and finally we have 
a Hilbert space £( N+2 \ a pure state <p^ N+2 ^ and a projection valued measure 
G B(TCa <8> £( a ' +2 )) with 

tr(4 s) p) - tr(FW(p® \4> (N+2) )(cb {N+2) \)), (14) 

this is another concequence of Stinesprings theorem. Now we can define the 
unitary strategy a a as follows: 

IC A = £ (0) ® £ (2) ® • . . ® £ (7V) ® £ (JV+2) (15) 
V M = ® 0< 2 ) ® • • • ® 0<"+« (16) 

f/W = lo ® I 2 ® • • . ® ® • • • ® Ijv <8> (17) 
£7^ = Iq® ...® 1^®^), (18) 

where denotes the unit operator on and in Equation (p~7]) we have im- 
plicitly used the canonical isomorphism between Ha ® A^yi and £w ® ■ • ■ ® FLa ® 
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£( J ) (g) . . . ® £(^+2) . What remains to show, but is omitted here, is to check 
that this a a satisfies Equation (O). □ 



This result allows us to restrict many discussions to pure strategies. This is 
very useful for the proof of no-go theorems or for calculations of general bounds 
on the bias of coin-tossing protoc ols. This concerns in particular the results in Gl 



which apply, due to Proposition 5.1 immediately to the general case introduced 
in Section ^. Many concrete examples (cf. the next section) are however mixed 
protocols and to rewrite them in a pure form is not necessarily helpful. 



6 A particular example 

In this section we are giving a concrete example for a strong coin tossing pro- 
tocol. It has a bias of e = 0.25 and is derived from a quantum bit commitment 
protocol, (a procedure related to coin tossing) given in Q . Bit commitment is 
another two person protocol which is related to coin tossing. It is always possible 
to construct a coin tossing protocol from a bit commitment protocol but not 
the other way round (cf. ||). Hence statements about the security of certain 
bit commitment protocols can be translated into statements about the bias of 
the related coin tossing protocols. This shows together with |l^] that the given 
protocol has the claimed bias. 

6.1 The protocol 

In this protocol we take Ha = Hm = C 3 , TLb = C 3 ® C 3 plus classical parts of 
at most 2 bits for each notepad. The canonical base in the Hilbert space C 3 is 
denoted by \i),i = 0, 1, 2 

1. preparation step: Alice throws a coin, the result is bA G {0, 1}, with prob- 
ability 1/2 each. She stores the result and prepares the system B(Ha) <8> 
B(W M )mthe state | Vb A )(^6 A |, whereto) = 75 (|0, 0) + |1, 2)) and = 
-j= (|1, 1) + |0, 2)) are orthogonal to each other. Bob throws a similar coin, 
and stores the result 65. The initial preparation of his quantum part is 
arbitrary. 

2. Bob reads the mailbox (i.e. swaps it with the second part of his Hilbert 
space) and sends bs to Alice. 

3. Alice receives &b and puts her remaining quantum system into the mail- 
box. 

4. Bob reads the mailbox and puts the system into the first slot of this 
quantum register. 

5. results: The result on Alice's side is bA®bs, where © is the addition modulo 
2. Bob performs a projective measurement on his quantum system with 
p(°) = |V'o)(V'o|,^ (1) = |^i><Vi and P m = 1 - P (0) - with result 
b' A . If everybody followed the protocol b' A — bA- So the result on Bob's 
side is b' A © bs- 
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6.2 Possible cheating strategies 



Now we will give possible cheating strategies for each party which lead to the 
maximal probability of achieving the preferred outcome. For simplicity we just 
look at the case where Alice prefers the outcome to be 0, whereas Bob prefers it 
to be 1, cheating strategies for the other cases are easily derivable. A cheating 
strategy for Bob is to try to distinguish in step || whether Alice has prepared \ipo) 
or \tpt). For this purpose he performs the measurement (|0)(0|, |1)(1|, |2}(2|). If 
the result cb ^ 2 (the probability for this in either case is 1/2) he can identify 
t>A = c b an d set bs = cb © 1 to achieve the overall result 1. If eg = 2 holds, 
he has not learned anything about b A - In that case he just continues with the 
protocol and hopes for the desired result, which appears with the probability 
1/2. [] So the total probability for Bob to achieve the result 0is^ + ^- ^ = j. 

A cheating strategy for Alice is to set in the initial step b A = and to prepare 
the system B(H A ) ® B(H M ) in the state |^) = 4= (|0, 0} + |0, 1) + 2 ■ |1, 2)). 
Then she continues until step pi If bs = she just continues with the proto- 
col. Then the probability that in the last step Bob measures b' B = equals 

tr(|Vo><^o| ' \ipo){ipo\) = KV'olV'o)! 2 = |- If b B = 1 she first applies a unitary 
operator, which swaps |0) and |1), on her system before she sends it to Bob. The 
state on Bob's side is than with = ^= (|1,0) + |1,1) + 2 • |0,2)). 

The probability that Bob measures b' B = 1 equals tr(|^i)(^i| • \tpi){^i\) = 
\{tjji\tpi)\ 2 = 4. So the total probability for Alice to get the outcome is 

1 3 , 1 3 3 

2 ' 4 ' 2 ' 4 4' 

7 Conclusions 

The previous example shows that quantum coin tossig admits, in contrast to 
the classical case, a nontrivial bias. However, how secure quantum coin tossing 
really is? Can we reach the optimal case (e = 0)? The answer actually is "no", 
or to state it more explicitly: 

Theorem 7.1 There is no (strong or weak) coin tossing protocol with bias e 
0. 

This was first proven by Mayers, Salvail and Chiba-Kohno JlC(| . Later on 
Ambainis recalls the arguments in a more explicit form It is still an open 
question, whether there exists quantum coin tossing protocols with bias arbi- 
trarily near to zero. Ambainis also shows that a coin tossing protocol with a bias 
of at most e must use at least SI (log log •=) rounds of communication. Although 
in that paper he gives only the proof for strong coin tossing, it holds in the weak 

6 After that measurement he is no longer able to figure out which outcome occurs on Alice's 
side, so he just sets his outcome to 1. A similar situation occurs in the cheating strategy for 
Alice, but she is in neither case able to predict the outcome on Bob's side with certainty. 

7 The first attempt for a proof, given by Lo and Chau ||. However, its validity is restricted 
to the case where 'cheating' always influences the probabilities of both valid outcomes. More 
precisely they demand that the probabilities for the outcomes and 1 are equal, for any 
cheating strategy. This restriction is too strong, even if Alice and Bob sit together and throw 
a real coin one of them can always say he (she) does not accept the result (and for example 
refuses to pay his loss) and so put the probability for one outcome to zero while the probability 
for the other one and the outcome invalid are 1/2 each. 
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case as well. It follows that a protocol cannot be made arbitrarily secure (i.e. 
have a sequence of protocols with e — > 0) with just increasing the amount of 
information exchanged in each step. The number of rounds has to go to infinity 
(although very slow). 

The strong coin tossing protocol given in section || has a bias of e = 0.25. 
Another one with the same bias is given by Ambainis [jl). No strong protocol 
with provable smaller bias is known yet. The best known weak protocol is given 
by Spekkens and Rudolph Q and has a bias of e = A= — | = 0.207 ... . 
Although this is still far from arbitrarily secure, it shows another distinction 
between classical and quantum information, as in a classical world no protocol 
with bias smaller than 0.5 is possible. 

Another interesting topic in quantum coin tossing is the question of cheat- 
sensitivity, that means how much can each player increase the probability of one 
outcome without risking being caught cheating. For more about this cf e.g. Jl3[ 
or 1- 
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